From metatracker at psf.upfronthosting.co.za Tue Jul 21 14:36:01 2009
From: metatracker at psf.upfronthosting.co.za (R David Murray)
Date: Tue, 21 Jul 2009 12:36:01 +0000
Subject: [Tracker-discuss] [issue295] title is changed by email updates when only whitespace had changed
In-Reply-To: <1248179761.3.0.0135867721483.issue295@psf.upfronthosting.co.za>
Message-ID: <1248179761.3.0.0135867721483.issue295@psf.upfronthosting.co.za>

New submission from R David Murray:

When someone responds to an issue email, the tracker will change the title
when the only thing that has changed is whitespace (generally a tab
introduced by the respondent's email client). It would be better if
whitespace changes were ignored.

----------
messages: 1445
nosy: r.david.murray
priority: bug
status: unread
title: title is changed by email updates when only whitespace had changed

_______________________________________________________
PSF Meta Tracker
_______________________________________________________

From metatracker at psf.upfronthosting.co.za Tue Jul 21 21:51:14 2009
From: metatracker at psf.upfronthosting.co.za (Adam Olsen)
Date: Tue, 21 Jul 2009 19:51:14 +0000
Subject: [Tracker-discuss] [issue296] XSS vulnerability in ok_message
In-Reply-To: <1248205874.61.0.225589760626.issue296@psf.upfronthosting.co.za>
Message-ID: <1248205874.61.0.225589760626.issue296@psf.upfronthosting.co.za>

New submission from Adam Olsen:

http://bugs.python.org/issue6535?@ok_message=%3Ci%3Ebob%20was%20there%20too%3C/i%3E

----------
messages: 1446
nosy: rhamphoryncus
priority: urgent
status: unread
title: XSS vulnerability in ok_message

From metatracker at psf.upfronthosting.co.za Tue Jul 21 23:10:27 2009
From: metatracker at psf.upfronthosting.co.za (Martin v. Löwis)
Date: Tue, 21 Jul 2009 21:10:27 +0000
Subject: [Tracker-discuss] [issue296] XSS vulnerability in ok_message
In-Reply-To: <1248205874.61.0.225589760626.issue296@psf.upfronthosting.co.za>
Message-ID: <1248210627.08.0.826973455611.issue296@psf.upfronthosting.co.za>

Martin v. Löwis added the comment:

Why is that a vulnerability?

----------
nosy: +loewis
status: unread -> chatting

From metatracker at psf.upfronthosting.co.za Wed Jul 22 01:13:30 2009
From: metatracker at psf.upfronthosting.co.za (Adam Olsen)
Date: Tue, 21 Jul 2009 23:13:30 +0000
Subject: [Tracker-discuss] [issue296] XSS vulnerability in ok_message
In-Reply-To: <1248205874.61.0.225589760626.issue296@psf.upfronthosting.co.za>
Message-ID: <1248218010.54.0.271885599872.issue296@psf.upfronthosting.co.za>

Adam Olsen added the comment:

If it allows arbitrary HTML it presumably allows javascript as well.

http://en.wikipedia.org/wiki/Cross-site_scripting#Non-persistent

It could, for instance, be used to steal bugtracker passwords or post spam.

From metatracker at psf.upfronthosting.co.za Wed Jul 22 05:24:59 2009
From: metatracker at psf.upfronthosting.co.za (Martin v. Löwis)
Date: Wed, 22 Jul 2009 03:24:59 +0000
Subject: [Tracker-discuss] [issue296] XSS vulnerability in ok_message
In-Reply-To: <1248205874.61.0.225589760626.issue296@psf.upfronthosting.co.za>
Message-ID: <1248233099.84.0.28737656046.issue296@psf.upfronthosting.co.za>

Martin v. Löwis added the comment:

So if the ok_message would escape all HTML markup characters, it would not
be vulnerable anymore, right?
From metatracker at psf.upfronthosting.co.za Wed Jul 22 06:16:07 2009
From: metatracker at psf.upfronthosting.co.za (Adam Olsen)
Date: Wed, 22 Jul 2009 04:16:07 +0000
Subject: [Tracker-discuss] [issue296] XSS vulnerability in ok_message
In-Reply-To: <1248205874.61.0.225589760626.issue296@psf.upfronthosting.co.za>
Message-ID: <1248236167.22.0.886220401744.issue296@psf.upfronthosting.co.za>

Adam Olsen added the comment:

Right. It'd also be worth auditing for any similar vulnerabilities.

From metatracker at psf.upfronthosting.co.za Wed Jul 22 06:17:07 2009
From: metatracker at psf.upfronthosting.co.za (Adam Olsen)
Date: Wed, 22 Jul 2009 04:17:07 +0000
Subject: [Tracker-discuss] [issue296] XSS vulnerability in ok_message
In-Reply-To: <1248205874.61.0.225589760626.issue296@psf.upfronthosting.co.za>
Message-ID: <1248236227.57.0.644340804595.issue296@psf.upfronthosting.co.za>

Adam Olsen added the comment:

... amusingly, the ok_message I got from posting that uses a HTML tag. A
specifically.

http://psf.upfronthosting.co.za/roundup/meta/issue296?@ok_message=msg%201450%20created%3Cbr%3Eissue%20296%20messages%20edited%20ok&@template=item

From metatracker at psf.upfronthosting.co.za Mon Jul 27 04:59:52 2009
From: metatracker at psf.upfronthosting.co.za (Ezio Melotti)
Date: Mon, 27 Jul 2009 02:59:52 +0000
Subject: [Tracker-discuss] [issue295] title is changed by email updates when only whitespace had changed
In-Reply-To: <1248179761.3.0.0135867721483.issue295@psf.upfronthosting.co.za>
Message-ID: <1248663592.95.0.285846801904.issue295@psf.upfronthosting.co.za>

Ezio Melotti added the comment:

When a new issue is created or a message is added the title could be passed
to re.sub('[\t\n\r\f\v]+', '', title). This will remove all the whitespaces
except normal spaces (I don't see any valid reason to have tabs, newlines
and similar in the title anyway). This regex will preserve the original
normal spaces (so if the user put two or more spaces they will be saved as
they are).

A simpler approach is to use re.sub('\s+', ' ', title) (or
' '.join(title.split())) to replace all the whitespaces with a single space.
----------
nosy: +ezio.melotti
status: unread -> chatting

From metatracker at psf.upfronthosting.co.za Mon Jul 27 05:28:51 2009
From: metatracker at psf.upfronthosting.co.za (Ezio Melotti)
Date: Mon, 27 Jul 2009 03:28:51 +0000
Subject: [Tracker-discuss] [issue285] Add issue title to issue links, avoid linking to bogus issues
In-Reply-To: <1242322496.14.0.859560166441.issue285@psf.upfronthosting.co.za>
Message-ID: <1248665331.83.0.915980591726.issue285@psf.upfronthosting.co.za>

Ezio Melotti added the comment:

I also suggest to add in the title="" the status of the issue, something
like title="[open|closed|pending] issue title here".

The alternative is to use a CSS class (as suggested by ajaksu2) and
text-decoration: line-through; or some color for closed issue, but imho this
just introduces useless noise. Even if in this way the user can see
immediately if the issue is closed or not he still has to read its title in
order to know what the issue is about. (Setting the class="" is still a good
idea, even if it's not used for this purpose.)

----------
nosy: +ezio.melotti

From metatracker at psf.upfronthosting.co.za Mon Jul 27 05:58:48 2009
From: metatracker at psf.upfronthosting.co.za (Ezio Melotti)
Date: Mon, 27 Jul 2009 03:58:48 +0000
Subject: [Tracker-discuss] [issue276] RE for matching SVN paths needs fixing
In-Reply-To: <1240676056.5.0.556496742683.issue276@psf.upfronthosting.co.za>
Message-ID: <1248667128.84.0.912244594303.issue276@psf.upfronthosting.co.za>

Ezio Melotti added the comment:

My patch only fixed the regex that generates links to dir and files in the
trunk, but not the one for revisions.
The fix seems trivial though, replacing (?P\s+) with \b and removing \g as I
did in the other regex should be enough.

In the patch proposed by draghuram in #196 he also changed this:

> 4) The resultant link name is always "revision " even if
>    the original string is "r" or "rev". This simplifies the RE and
>    I don't think we lose anything.

I like this idea and I propose to extend it to the links to issues and to
dirs/files in the trunk too. Ideally all the issue links would be in the
form "#1234", the revisions in the form "r12345" and the urls in the form
"Foo/bar/file.ext" where Foo is a dir in the trunk.

The advantages of doing this are: more consistency (TMBOOWTDI (even if
actually there are more ways, the output will always be the same and
eventually more users will start using it)); simpler regex; less space
wasted in the message (e.g. in http://bugs.python.org/msg80020 the
'http://svn.python.org/view/python/trunk/' part of the link won't be
visible).

----------
nosy: +ezio.melotti
status: resolved -> chatting

From metatracker at psf.upfronthosting.co.za Fri Jul 31 19:25:54 2009
From: metatracker at psf.upfronthosting.co.za (Brett C.)
Date: Fri, 31 Jul 2009 17:25:54 +0000
Subject: [Tracker-discuss] [issue297] Problem at compilation on PBg4 MacOSX10.4
In-Reply-To: <1248942308.79.0.726816640951.issue297@psf.upfronthosting.co.za>
Message-ID: <1249061154.96.0.775848945713.issue297@psf.upfronthosting.co.za>

Brett C. added the comment:

This bug tracker is for reporting issues with bugs.python.org, not issues
with Python. To report a bug about Python report it on bugs.python.org.

----------
nosy: +brett.cannon
status: unread -> chatting
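
Added example, not part of the archived messages and not Roundup's own code: the escaping fix discussed in issue296, run against the two URLs quoted in that thread. The `ok-message` markup, the function names and the newline-separated redirect built by `redirect_url` are assumptions made for illustration.

```python
import html
from urllib.parse import parse_qs, urlencode, urlsplit

# The two URLs quoted in the issue296 messages (parsed as strings only).
REPORTED = ("http://bugs.python.org/issue6535"
            "?@ok_message=%3Ci%3Ebob%20was%20there%20too%3C/i%3E")
TRACKER_OWN = ("http://psf.upfronthosting.co.za/roundup/meta/issue296"
               "?@ok_message=msg%201450%20created%3Cbr%3E"
               "issue%20296%20messages%20edited%20ok&@template=item")


def ok_messages(url):
    """Return the decoded @ok_message values from a URL's query string."""
    return parse_qs(urlsplit(url).query).get("@ok_message", [])


def render_raw(url):
    """Reported behaviour: the decoded parameter lands in the page as markup."""
    return '<p class="ok-message">%s</p>' % "".join(ok_messages(url))


def render_escaped(url):
    """Escape every character that has HTML meaning. Line breaks are emitted
    by the renderer, one per newline, and never taken from the request."""
    lines = []
    for value in ok_messages(url):
        lines.extend(html.escape(part, quote=True)
                     for part in value.splitlines())
    return '<p class="ok-message">%s</p>' % "<br>".join(lines)


def redirect_url(base, messages):
    """Hypothetical helper: the tracker's own redirect carries plain text,
    newline-separated, so it no longer relies on <br> surviving escaping."""
    return base + "?" + urlencode({"@ok_message": "\n".join(messages)})
```

With escaping alone, the tracker's own redirect from the last issue296 message would show a literal `<br>`, which is why the sketch moves the line break out of the parameter and into the renderer.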
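
Added example, not part of the archived messages and not the tracker's code: the normalizations proposed for issue295, applied to a constructed reply subject in which a folded header left CRLF and a tab where a space had been. The function names and the sample reply are assumptions.

```python
import re

ORIGINAL = "title is changed by email updates when only whitespace had changed"
# Constructed sample: the same title as it might arrive in a reply whose mail
# client folded the Subject header, leaving CRLF + tab in place of one space.
REPLY = "title is changed by email updates when\r\n\tonly whitespace had changed"


def strip_control_ws(title):
    """First proposal: delete tabs, newlines and similar, keep normal spaces."""
    return re.sub('[\t\n\r\f\v]+', '', title)


def collapse_ws(title):
    """Second proposal: replace every run of whitespace with one space."""
    return re.sub(r'\s+', ' ', title).strip()


def title_update(stored, incoming, normalize):
    """Return the title to store, or None when the incoming title differs
    from the stored one only in whitespace under the given normalization."""
    new = normalize(incoming)
    return None if normalize(stored) == new else new
```

When the tab replaces a space rather than accompanying one, deleting it joins two words and still registers as a title change; collapsing whitespace runs compares equal and leaves the title alone.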